High severityNVD Advisory· Published Mar 16, 2026· Updated Mar 16, 2026
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
CVE-2026-28490
Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
authlibPyPI | < 1.6.9 | 1.6.9 |
Affected products
7- ghsa-coords6 versionspkg:pypi/authlibpkg:rpm/opensuse/python-Authlib&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-Authlib&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7pkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6
< 1.6.9+ 5 more
- (no CPE)range: < 1.6.9
- (no CPE)range: < 1.3.1-150600.3.17.1
- (no CPE)range: < 1.5.2-bp160.3.1
- (no CPE)range: < 1.3.1-150600.3.17.1
- (no CPE)range: < 1.3.1-150600.3.17.1
- (no CPE)range: < 1.3.1-150600.3.17.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-7432-952r-cw78ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28490ghsaADVISORY
- github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22ghsax_refsource_MISCWEB
- github.com/authlib/authlib/releases/tag/v1.6.9ghsax_refsource_MISCWEB
- github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.